This is mostly my home play stuff
Adding a Solaris 10 client to LDAP (proxy credentials)
domainname sus.local
domainname > /etc/defaultdomain
ldapclient init -v -a proxyDN=cn=proxyagent,ou=profile,dc=sus,dc=local -a proxyPassword=proxy_password -a domainName=sus.local -a profileName=default jorik.sus.local
Debugging LDAP on Solaris with ldaplist
ldaplist
dn: ou=profile,dc=sus,dc=local
dn: ou=People,dc=sus,dc=local
dn: ou=policies,dc=sus,dc=local
dn: nisMapName=auto_master,dc=sus,dc=local
dn: nisMapName=auto_home,dc=sus,dc=local
ldaplist -h
database default type objectclass
============= ================= =============
auto_* automountKey automount
automount automountMapName automountMap
publickey uidnumber niskeyobject
publickey cn niskeyobject
bootparams cn bootableDevice
ethers cn ieee802Device
group cn posixgroup
hosts cn iphost
ipnodes cn iphost
netgroup cn nisnetgroup
netmasks ipnetworknumber ipnetwork
networks ipnetworknumber ipnetwork
passwd uid posixaccount
protocols cn ipprotocol
rpc cn oncrpc
services cn ipservice
aliases cn mailGroup
project SolarisProjectID SolarisProject
printers printer-uri sunPrinter
auth_attr cn SolarisAuthAttr
prof_attr cn SolarisProfAttr
exec_attr cn SolarisExecAttr
user_attr uid SolarisUserAttr
audit_user uid SolarisAuditUser
listusers
anya el bizda
caroline el diablo
nathaniel 2nd Boss!
noaccess No Access User
nobody NFS Anonymous Access User
nobody4 SunOS 4.x NFS Anonymous Access User
poshpaws Da Boss!
sirbob Test User
tove der toad
Solaris 10 Native ldapclient pam.conf
# pam.conf.ldapv2_native_client
#
# http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
#
# IMPORTANT NOTES from Gary Tay
#
# 1) This is a /etc/pam.conf with password management support that works for:
#
# Solaris10 Native LDAP Client
# Solaris9 Native LDAP Client provided that:
# - latest kernel patch and Patch 112960 are applied
# - all the pam_unix_cred.so.1 lines are commented out
# Solaris8 Native LDAP Client provided that:
# - latest kernel patch and Patch 108993 are applied
# - all the pam_unix_cred.so.1 lines are commented out
#
# 2) If modules for "sshd" or any are not defined, default is "other"
# as seen by output of "grep other /etc/pam.conf"
#
# Notes from Mark Janssen
#
# 3) SSH Pubkey authentication needs its own pam rules on sshd-pubkey
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#other session required pam_mkhomedir.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 debug server_policy
# Custom Stuff
# Allow ssh-pubkey (SUN-SSH) logins to work
sshd-pubkey account required pam_unix_account.so.1
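The interesting part of the "login auth" stack above is the "binding" line: when pam_unix_auth succeeds for a local account (and nothing required before it failed) the stack ends there and pam_ldap is never called, while the server_policy option hands non-local accounts on to pam_ldap. The following Python is an added example (my code, not part of the original post or of Solaris) that walks that stack with the control-flag rules from pam.conf(4); the module outcomes are supplied by hand, so it runs without PAM at all. The only lines taken from the post are the six "login auth" entries.

```python
# Added example: simulate how Solaris PAM walks the "login auth" stack from
# the pam.conf above. Module results are constructed by hand (no real PAM).

# Stack copied from the pam.conf above.
PAM_CONF = """\
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
"""


def parse_stack(text, service, module_type):
    """Return [(control_flag, module, options)] for one service/module type."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        svc, mtype, control, module = fields[:4]
        if svc == service and mtype == module_type:
            stack.append((control, module, fields[4:]))
    return stack


def run_stack(stack, results):
    """Walk the stack with pam.conf(4) control-flag semantics.

    results maps module name -> True (success), False (failure) or "ignore"
    (PAM_IGNORE, which is what pam_unix_auth's server_policy option yields
    for accounts that are not local). Unlisted modules are assumed to succeed.
    Returns (outcome, list of modules actually invoked).
    """
    called = []
    required_failed = False   # a required or binding module failed
    optional_failed = False   # a sufficient or optional module failed
    any_success = False
    for control, module, _opts in stack:
        res = results.get(module, True)
        called.append(module)
        if res == "ignore":
            continue                            # module stepped aside
        if res:
            any_success = True
        if control == "requisite":
            if not res:
                return "fail", called           # stop immediately
        elif control == "required":
            if not res:
                required_failed = True          # remember, keep walking
        elif control in ("binding", "sufficient"):
            if res and not required_failed:
                return "success", called        # short-circuit: rest skipped
            if not res:
                if control == "binding":
                    required_failed = True
                else:
                    optional_failed = True
        elif control == "optional":
            if not res:
                optional_failed = True
        else:
            raise ValueError("unknown control flag: " + control)
    if required_failed:
        return "fail", called
    if optional_failed and not any_success:
        return "fail", called
    return "success", called


LOGIN_AUTH = parse_stack(PAM_CONF, "login", "auth")


def login_outcome(results):
    """Run the post's 'login auth' stack against constructed module results."""
    return run_stack(LOGIN_AUTH, results)


if __name__ == "__main__":
    # Local account, good password: binding pam_unix_auth ends the stack early.
    print(login_outcome({}))
    # LDAP account: server_policy makes pam_unix_auth step aside, pam_ldap decides.
    print(login_outcome({"pam_unix_auth.so.1": "ignore"}))
    print(login_outcome({"pam_unix_auth.so.1": "ignore", "pam_ldap.so.1": False}))
```

Running it shows the two paths side by side: a local user never reaches pam_ldap, and for an LDAP user a pam_ldap failure is a required failure, so the login fails even though every module before it succeeded.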
openldap and Solaris automounts
Solaris uses different object class and attribute names for automount maps:
-bash-3.2$ ldaplist -h
database default type objectclass
============= ================= =============
auto_* automountKey automount
automount automountMapName automountMap
publickey uidnumber niskeyobject
publickey cn niskeyobject
For Linux and other clients we use nisMapName rather than automountMap, so in the Solaris profile we set up objectclassMap and attributeMap entries:
"default" profile
dn: cn=default,ou=profile,dc=sus,dc=local
objectClass: DUAConfigProfile
attributeMap: automount:automountMapName=nisMapName
attributeMap: automount:automountInformation=nisMapEntry
attributeMap: automount:automountKey=cn
authenticationMethod: simple
cn: default
credentialLevel: proxy
defaultSearchBase: dc=sus,dc=local
defaultSearchScope: one
defaultServerList: jorik.sus.local
followReferrals: TRUE
objectclassMap: automount:automountMap=nisMap
objectclassMap: automount:automount=nisObject
profileTTL: 43200
searchTimeLimit: 30
auto_home map
dn: nisMapName=auto_home,dc=sus,dc=local
objectClass: top
objectClass: nisMap
nisMapName: auto_home
dn: cn=poshpaws,nisMapName=auto_home,dc=sus,dc=local
objectClass: nisObject
cn: poshpaws
nisMapEntry: tombliboo:/store/shares/home/poshpaws
nisMapName: auto_home
dn: cn=sirbob,nisMapName=auto_home,dc=sus,dc=local
objectClass: nisObject
cn: sirbob
nisMapEntry: tombliboo:/store/shares/home/sirbob
nisMapName: auto_home
auto_master map
dn: nisMapName=auto_master,dc=sus,dc=local
objectClass: top
objectClass: nisMap
nisMapName: auto_master
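To make the translation concrete, here is an added example (my code, not part of the post or of Solaris) that parses the "default" profile and the auto_home map above and shows what the Solaris automounter ends up seeing: it asks for objectclass "automount" with automountKey/automountInformation, the profile's objectclassMap and attributeMap lines turn that into nisObject with cn/nisMapEntry, and without those maps the same entries are simply invisible. The LDIF strings are copied from the entries above; the tiny LDIF reader is my own and only handles the plain one-attribute-per-line form used here.

```python
# Added example: apply a DUAConfigProfile's objectclassMap/attributeMap lines
# to the auto_home map from the post. LDIF below is copied from the post.

PROFILE_LDIF = """\
dn: cn=default,ou=profile,dc=sus,dc=local
objectClass: DUAConfigProfile
attributeMap: automount:automountMapName=nisMapName
attributeMap: automount:automountInformation=nisMapEntry
attributeMap: automount:automountKey=cn
objectclassMap: automount:automountMap=nisMap
objectclassMap: automount:automount=nisObject
cn: default
"""

AUTO_HOME_LDIF = """\
dn: nisMapName=auto_home,dc=sus,dc=local
objectClass: top
objectClass: nisMap
nisMapName: auto_home
dn: cn=poshpaws,nisMapName=auto_home,dc=sus,dc=local
objectClass: nisObject
cn: poshpaws
nisMapEntry: tombliboo:/store/shares/home/poshpaws
nisMapName: auto_home
dn: cn=sirbob,nisMapName=auto_home,dc=sus,dc=local
objectClass: nisObject
cn: sirbob
nisMapEntry: tombliboo:/store/shares/home/sirbob
nisMapName: auto_home
"""


def parse_ldif(text):
    """Minimal LDIF reader: a 'dn:' line starts a new entry, one attribute per
    line, no base64 ('::') or folded-line handling. Attribute names are
    lower-cased. Returns a list of {attr: [values]} dicts."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "dn":
            cur = {}
            entries.append(cur)
        if cur is None:
            raise ValueError("attribute line before first dn: line")
        cur.setdefault(name, []).append(value.strip())
    return entries


def load_maps(profile):
    """Read objectclassMap/attributeMap values of the form
    service:solarisName=directoryName into two dicts keyed (service, name)."""
    oc_map, attr_map = {}, {}
    for kind, target in (("objectclassmap", oc_map), ("attributemap", attr_map)):
        for value in profile.get(kind, []):
            service, _, pair = value.partition(":")
            sol_name, _, dir_name = pair.partition("=")
            target[(service.strip(), sol_name.strip().lower())] = dir_name.strip().lower()
    return oc_map, attr_map


def solaris_view(profile_ldif, map_ldif, service="automount"):
    """Return {key: information} as the Solaris automounter would see the map:
    the client's names (automount/automountKey/automountInformation) are
    translated through the profile before matching the directory entries."""
    profile = parse_ldif(profile_ldif)[0]
    oc_map, attr_map = load_maps(profile)
    want_class = oc_map.get((service, "automount"), "automount")
    key_attr = attr_map.get((service, "automountkey"), "automountkey")
    info_attr = attr_map.get((service, "automountinformation"), "automountinformation")
    view = {}
    for entry in parse_ldif(map_ldif):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if want_class in classes and key_attr in entry and info_attr in entry:
            view[entry[key_attr][0]] = entry[info_attr][0]
    return view


if __name__ == "__main__":
    print(solaris_view(PROFILE_LDIF, AUTO_HOME_LDIF))
    # A profile without the maps: the nisObject entries no longer match.
    print(solaris_view("dn: cn=bare,ou=profile,dc=sus,dc=local\ncn: bare\n", AUTO_HOME_LDIF))
```

The second call is the failure mode the post is working around: with a profile that lacks the maps, the automounter looks for objectclass automount and finds nothing, so no home directories mount even though the map entries exist.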
slapd.conf on the LDAP master - no replication ... yet
root@jorik:~# cat /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/solaris.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/sudo.schema
TLSCACertificateFile /etc/openldap/etc/cacert.pem
TLSCertificateFile /etc/openldap/etc/servercrt.pem
TLSCertificateKeyFile /etc/openldap/etc/serverkey.pem
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath %MODULEDIR%
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
access to dn.subtree="ou=People,dc=sus,dc=local"
attrs=userPassword
by dn="cn=proxyagent,ou=profile,dc=sus,dc=local" write
by self write
by anonymous auth
by * read
access to *
by * read
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=sus,dc=local"
rootdn "cn=Manager,dc=sus,dc=local"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw -- REDACTED --
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/openldap
# Indices to maintain
index objectClass eq
#REPLICATION#
#Monitor DB#
database monitor
rootdn "cn=monitoring,cn=Monitor"
rootpw monitoring
### hash out the TLS section to use as is, or set up your certificates
###
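One thing worth checking in the userPassword ACL above: OpenLDAP takes the first matching "by" clause, and that rule ends with "by * read", so any bound DN that is neither the entry itself nor the proxy agent (for instance another account under ou=People) is granted read on userPassword, i.e. on the stored hashes; anonymous binds stop at "auth", which is what you want. The Python below is an added example (my code, not the post's configuration) that models that first-match evaluation over the two directives copied from the slapd.conf above, beside a variant I constructed that changes only the last clause to "by * none" and leaves the proxyagent and self clauses exactly as the post has them. The DNs used as requesters are the post's own sirbob, anya and proxyagent entries.

```python
# Added example: evaluate the slapd.conf ACLs from the post with a small model
# of OpenLDAP's first-matching-rule / first-matching-by semantics.

# Access levels in increasing order (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Copied from the slapd.conf above.
POST_ACL = """\
access to dn.subtree="ou=People,dc=sus,dc=local"
  attrs=userPassword
  by dn="cn=proxyagent,ou=profile,dc=sus,dc=local" write
  by self write
  by anonymous auth
  by * read
access to *
  by * read
"""

# Constructed variant: only the final clause of the first rule differs.
HARDENED_ACL = """\
access to dn.subtree="ou=People,dc=sus,dc=local"
  attrs=userPassword
  by dn="cn=proxyagent,ou=profile,dc=sus,dc=local" write
  by self write
  by anonymous auth
  by * none
access to *
  by * read
"""

SIRBOB = "uid=sirbob,ou=People,dc=sus,dc=local"
ANYA = "uid=anya,ou=People,dc=sus,dc=local"
PROXY = "cn=proxyagent,ou=profile,dc=sus,dc=local"


def parse_acl(text):
    """Parse 'access to <what> by <who> <level>' directives (subset: dn.subtree,
    attrs, and the who forms *, anonymous, users, self, dn="...")."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            rules.append({"subtree": None, "attrs": None, "by": []})
            line = line[len("access to "):]
        if line.startswith("by "):
            who, level = line[3:].rsplit(" ", 1)
            rules[-1]["by"].append((who.strip(), level.strip()))
            continue
        for tok in line.split():                     # <what> part, may be continued
            if tok.startswith("dn.subtree="):
                rules[-1]["subtree"] = tok.split("=", 1)[1].strip('"').lower()
            elif tok.startswith("attrs="):
                rules[-1]["attrs"] = {a.lower() for a in tok.split("=", 1)[1].split(",")}
    return rules


def _target_matches(rule, entry_dn, attr):
    if rule["subtree"] is not None:
        dn = entry_dn.lower()
        if not (dn == rule["subtree"] or dn.endswith("," + rule["subtree"])):
            return False
    if rule["attrs"] is not None:
        return attr is not None and attr.lower() in rule["attrs"]
    return True


def _who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[3:].strip('"').lower()
    raise ValueError("unsupported <who>: " + who)


def granted(rules, bind_dn, entry_dn, attr):
    """Level granted to bind_dn (None = anonymous) on (entry_dn, attr): the first
    rule whose <what> matches decides, and within it the first matching <who>;
    a matching rule with no matching <who>, or no matching rule, means none."""
    for rule in rules:
        if _target_matches(rule, entry_dn, attr):
            for who, level in rule["by"]:
                if _who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"
    return "none"


def allows(level, needed):
    """True if the granted level covers the operation's requirement."""
    return LEVELS.index(level) >= LEVELS.index(needed)


def password_access(acl_text, entry_dn=SIRBOB):
    """What each kind of requester gets on entry_dn's userPassword."""
    rules = parse_acl(acl_text)
    requesters = {"anonymous": None, "self": entry_dn, "proxyagent": PROXY, "other user": ANYA}
    return {name: granted(rules, dn, entry_dn, "userPassword") for name, dn in requesters.items()}


if __name__ == "__main__":
    print("post:    ", password_access(POST_ACL))
    print("hardened:", password_access(HARDENED_ACL))
```

The "other user" row is the one to watch: "read" under the post's rule, "none" under the variant, while anonymous keeps "auth" (enough to bind, not enough to read) and the proxy agent and the entry itself are untouched.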
ldap.conf
BASE dc=sus,dc=local
URI ldap://jorik.sus.local ldap://jorik.sus.local:666
TLS_CACERT /etc/openldap/etc/cacert.pem
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
OPEN_LDAP_SLAPD_PARAMS="-d -1"
Slapcat output for Primary server
use at your own risk!!!!!
dn: dc=sus,dc=local
associatedDomain: sus.local
dc: sus
objectClass: top
objectClass: dcObject
objectClass: domain
objectClass: domainRelatedObject
objectClass: nisDomainObject
nisDomain: sus.local
structuralObjectClass: domain
entryUUID: 8e0ded54-302d-102e-8bad-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
entryCSN: 20090907190821.862902Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090907190821Z
dn: ou=profile,dc=sus,dc=local
ou: profile
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 8e169224-302d-102e-8bae-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
entryCSN: 20090907190821.919555Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090907190821Z
dn: ou=People,dc=sus,dc=local
ou: People
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 8e1c0ca4-302d-102e-8bb2-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
entryCSN: 20090907190821.955459Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090907190821Z
dn: cn=proxyagent,ou=profile,dc=sus,dc=local
userPassword:: redacted
objectClass: top
objectClass: person
sn: proxyagent
cn: proxyagent
structuralObjectClass: person
entryUUID: 8e1d5e92-302d-102e-8bb3-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
entryCSN: 20090907190821.964110Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090907190821Z
dn: cn=default,ou=profile,dc=sus,dc=local
defaultSearchBase: dc=sus,dc=local
authenticationMethod: simple
followReferrals: TRUE
profileTTL: 43200
searchTimeLimit: 30
objectClass: DUAConfigProfile
defaultServerList: jorik.sus.local
credentialLevel: proxy
cn: default
defaultSearchScope: one
structuralObjectClass: DUAConfigProfile
entryUUID: 8e1ec020-302d-102e-8bb4-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
objectclassMap: automount:automountMap=nisMap
objectclassMap: automount:automount=nisObject
attributeMap: automount:automountMapName=nisMapName
attributeMap: automount:automountInformation=nisMapEntry
attributeMap: automount:automountKey=cn
entryCSN: 20090916184551.207022Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090916184551Z
dn: cn=tls_profile,ou=profile,dc=sus,dc=local
defaultSearchBase: dc=sus,dc=local
authenticationMethod: tls:simple
followReferrals: FALSE
bindTimeLimit: 10
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: jorik.sus.local
credentialLevel: proxy
cn: tls_profile
serviceSearchDescriptor: passwd: ou=People,dc=sus,dc=local
serviceSearchDescriptor: group: ou=Group,dc=sus,dc=local
serviceSearchDescriptor: shadow: ou=People,dc=sus,dc=local
serviceSearchDescriptor: netgroup: ou=netgroup,dc=sus,dc=local
serviceSearchDescriptor: sudoers: ou=SUDOers,dc=sus,dc=local
defaultSearchScope: one
structuralObjectClass: DUAConfigProfile
entryUUID: 8e2018c6-302d-102e-8bb5-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
entryCSN: 20090907190821.981985Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090907190821Z
dn: ou=policies,dc=sus,dc=local
ou: policies
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 8e2165b4-302d-102e-8bb6-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
entryCSN: 20090907190821.990496Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090907190821Z
dn: uid=sirbob,ou=People,dc=sus,dc=local
shadowMin: 5
sn: User
loginShell: /bin/bash
uidNumber: 9999
gidNumber: 1000
shadowFlag: 0
shadowExpire: -1
shadowMax: 99999
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
gecos: Test User
shadowLastChange: 0
shadowInactive: -1
shadowWarning: 7
structuralObjectClass: organizationalPerson
entryUUID: 8e22738c-302d-102e-8bb7-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190821Z
uid: sirbob
cn: sirbob
userPassword:: REDACTED
homeDirectory: /home/sirbob
entryCSN: 20090916180215.169238Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090916180215Z
dn: uid=poshpaws,ou=People,dc=sus,dc=local
shadowMin: 5
sn: poshpaws
loginShell: /bin/bash
uidNumber: 100
gidNumber: 100
shadowFlag: 0
shadowExpire: -1
shadowMax: 99999
uid: poshpaws
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 0
cn: poshpaws
homeDirectory: /home/poshpaws
shadowInactive: -1
shadowWarning: 7
structuralObjectClass: organizationalPerson
entryUUID: 8e23e55a-302d-102e-8bb8-f70f0db79532
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090907190822Z
gecos: Da Boss!
userPassword:: REDACTED=
entryCSN: 20090910135618.382761Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090910135618Z
dn: uid=caroline,ou=People,dc=sus,dc=local
loginShell: /bin/bash
sn: caroline
shadowMin: 5
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 100
uid: caroline
shadowMax: 99999
shadowLastChange: 0
shadowInactive: -1
uidNumber: 101
gecos: el diablo
shadowWarning: 7
shadowExpire: -1
cn: caroline
shadowFlag: 0
userPassword: REDACTED
homeDirectory: /home/caroline
structuralObjectClass: organizationalPerson
entryUUID: d10f4fd2-30b2-102e-8059-810d90ea5dc3
creatorsName: cn=Manager,dc=sus,dc=local
createTimestamp: 20090908110217Z
entryCSN: 20090908110217.344365Z#000000#000#000000
modifiersName: cn=Manager,dc=sus,dc=local
modifyTimestamp: 20090908110217Z
dn: uid=anya,ou=People,dc=sus,dc=local
loginShell: /bin/bash
sn: anya
shadowMin: 5
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 100
uid: anya
shadowMax: 99999
shadowLastChange: 0
shadowInactive: -1
uidNumber: 102
gecos: el bizda
shadowWarning: 7
shadowExpire: -1
cn: anya
shadowFlag: 0
userPassword: REDACTED
Very good reference:
http://blog.maniac.nl/setting-up-ldap-with-openldap-server-solaris-10-aix-61-and-linux-clients/